The financially motivated FIN8 actor has, in all likelihood, resurfaced with a previously unseen ransomware strain called “White Rabbit” that was deployed against a local bank in the U.S. in December 2021.
That’s according to new findings published by Trend Micro, which call out the malware’s overlaps with Egregor, a ransomware operation that was taken down by Ukrainian law enforcement authorities in February 2021.
“One of the most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine,” the researchers noted. “This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis.”
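The gating the researchers describe is a general anti-analysis pattern rather than anything specific to one family: the binary carries its configuration encrypted, the decryption key is derived from an argument supplied at launch, and without that argument the sample does nothing observable, so automated sandboxes that detonate the bare file see no encryption routine, no ransom note, and no indicators. The following is an added illustration written for this article in Python, not code from Trend Micro, from the White Rabbit sample, or from any real malware; the PBKDF2 key derivation, the SHA-256 counter-mode keystream, the HMAC check, the command-line handling and the sample configuration are all assumptions chosen to make the mechanism concrete. The HMAC tag is what lets the loader (and, equally, an analyst holding candidate passwords recovered from process telemetry or the delivery stage) distinguish a wrong password from a right one without executing anything else.

```python
import hashlib
import hmac
import json
import os
import sys

# Hypothetical construction (added example, not White Rabbit's real scheme):
# the embedded configuration is stored as  salt || nonce || ciphertext || tag.
# The key comes from the launch-time password via PBKDF2, the keystream is
# SHA-256 in counter mode, and an HMAC tag tells a wrong password apart from
# the right one before the loader acts on anything.

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # slows offline guessing of the password


def derive_keys(password: str, salt: bytes) -> tuple:
    """Derive independent encryption and MAC keys from the password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream (illustrative; real code would use AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_config(config: dict, password: str) -> bytes:
    """Build-time step: encrypt and authenticate the config under the password."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    plaintext = json.dumps(config).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def unlock_config(blob: bytes, password: str):
    """Return the decrypted config dict, or None if the password does not verify."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password: nothing is decrypted, nothing runs
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


# Constructed sample data: a toy configuration sealed under a toy password.
SAMPLE_PASSWORD = "correct-horse"
SAMPLE_CONFIG = {"extension": ".example", "skip_dirs": ["Windows", "Program Files"], "note": "README.txt"}
SAMPLE_BLOB = seal_config(SAMPLE_CONFIG, SAMPLE_PASSWORD)


def main(argv):
    """Mimic the gating: no valid password on the command line, no routine."""
    password = argv[1] if len(argv) > 1 else ""
    config = unlock_config(SAMPLE_BLOB, password)
    if config is None:
        return 1  # a sandbox that detonates the file bare stops here
    print("config unlocked:", config)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no argument and the script exits silently with status 1, which is all a bare detonation would ever show; run with `correct-horse` and it unlocks the configuration. For an analyst the same property cuts the other way: because the tag check is cheap and deterministic, candidate passwords captured from EDR command-line logging or from the Cobalt Strike stage that launched the payload can be confirmed offline against the extracted blob, and the key-stretching rounds set how expensive guessing an unknown one becomes.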
Egregor, which began operating in September 2020 and ran until the February 2021 takedown, is widely believed to be a reincarnation of Maze, which shut down its criminal enterprise in late 2020.
Besides taking a leaf out of Egregor’s playbook, White Rabbit follows the double extortion model, stealing data before encrypting it so that victims can be pressured with a leak as well as with the loss of access, and is believed to have been delivered via Cobalt Strike, a commercial post-exploitation framework that threat actors routinely abuse for reconnaissance, lateral movement, and payload delivery on compromised hosts.